Hands-On Penetration Testing on Windows

Local IPv6 reconnaissance and the Neighbor Discovery Protocol

So, you're on the network and you need to do some recon to find out what's out there in IPv6 land. I know what the hacker in you is thinking at this point: well, it was feasible to scan even large swaths of IPv4 address space, but a 2^128 address space? That's just a waste of time at best. Right you are! In fact, trying to combine the -6 flag in Nmap with a range of addresses will give you an error. So, we have to think a little differently about host discovery.

Before we pull out the offensive toolkit, let's go back to basics with ping. If you review the man page for ping, you'll find IPv6 support, but we can't do a ping sweep like in the good old days. Not a problem: we'll just ping the link-local multicast address. By definition, this will prompt a reply from our friendly neighbors, and we'll have some targets. There's a nice chunk of multicast addresses defined for IPv6 for different purposes (for example, all routers on the local segment, RIP routers, EIGRP routers, and so on), but the one to memorize for now is ff02::1. We'll effectively be mimicking the Neighbor Discovery Protocol's solicitation/advertisement process.

We're going to fire off an IPv6 ping command pointing at the link-local multicast address ff02::1 to trigger responses from hosts on our segment, which will populate the neighbor table; then we'll ask ip to show us those discovered neighbors:

# ping -6 -I wlan0 -c 10 ff02::1 >/dev/null
# ip -6 neigh show

Notice a pattern with the responses? All of the addresses belong to fe80::/10. The hosts responded with a link-local address, which they will have in addition to any globally unique address. We did gather this by pinging the link-local multicast address, after all. Pinging is an active task; by conducting some passive listening, we may hear devices confirming via the ICMP6 neighbor solicitation and Duplicate Address Discovery (DAD) process that their assigned address is in fact unique. So, now we open up our offensive toolkit.
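To turn the neighbor table into a host inventory, the following Python parser reads `ip -6 neigh show` output, checks each entry against fe80::/10, and groups entries by MAC so that a host's link-local and global addresses line up. This is an added example, not code from the book; the sample neighbor lines are constructed, not captured from a real segment.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `ip -6 neigh show` output (not captured from a real host);
# the fe80:: entries mirror the link-local replies a ping to ff02::1 produces.
SAMPLE_NEIGH = """\
fe80::1a2b:3c4d:5e6f:7a8b dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
fe80::dead:beef:cafe:1 dev wlan0 lladdr 66:77:88:99:aa:bb router STALE
2001:db8::10 dev wlan0 lladdr 00:11:22:33:44:55 STALE
fe80::abcd dev wlan0  FAILED
"""

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")

def parse_neigh_line(line):
    """Turn one `ip -6 neigh show` line into a dict; None for blank/unparseable lines."""
    tokens = line.split()
    if not tokens:
        return None
    try:
        addr = ipaddress.IPv6Address(tokens[0])
    except ipaddress.AddressValueError:
        return None
    # The NUD state (REACHABLE, STALE, FAILED, ...) is always the last token.
    entry = {"addr": addr, "dev": None, "lladdr": None, "router": False, "state": tokens[-1]}
    for i, tok in enumerate(tokens[1:-1], start=1):
        if tok == "dev":
            entry["dev"] = tokens[i + 1]
        elif tok == "lladdr":
            entry["lladdr"] = tokens[i + 1].lower()
        elif tok == "router":  # the neighbor sent Router Advertisements
            entry["router"] = True
    return entry

def inventory(neigh_output):
    """Group neighbor-cache entries by MAC so one host's link-local and global
    addresses sit together; FAILED/INCOMPLETE entries carry no MAC and are dropped."""
    by_mac = defaultdict(list)
    for line in neigh_output.splitlines():
        entry = parse_neigh_line(line)
        if entry is None or entry["lladdr"] is None:
            continue
        entry["link_local"] = entry["addr"] in LINK_LOCAL
        by_mac[entry["lladdr"]].append(entry)
    return dict(by_mac)

if __name__ == "__main__":
    for mac, entries in inventory(SAMPLE_NEIGH).items():
        addrs = ", ".join(f"{e['addr']} ({'link-local' if e['link_local'] else 'global'}, {e['state']})" for e in entries)
        print(f"{mac}{' [router]' if any(e['router'] for e in entries) else ''}: {addrs}")
```

Piping real output in (`ip -6 neigh show | python3 inventory.py` with `sys.stdin.read()` in place of the sample) gives the same grouping for a live segment.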

The standard Swiss Army knife of IPv6 poking and prodding is THC-IPV6, included with Kali Linux. We command the detect-new-ip6 tool to listen on our interface for any ICMP6 DAD messages:

# atk6-detect-new-ip6 wlan0

Now, we've gathered some targets to start scanning for services with the -6 flag in Nmap.